Add missing resources to manage in DSC controller (opendatahub-io#669)

* rbac: add permissions for imagestreams, daemonsets, apiservices Prepare for watching v1 resources (issue opendatahub-io#637) To enable watching for DaemonSet and APIService (REST api resources daemonsets and apiservices) reading/watching permissions required for the operator's role. Otherwise it gets errors like: ``` User "system:serviceaccount:openshift-operators:opendatahub-operator-controller-manager" cannot list resource "daemonsets" in API group "apps" at the cluster scope E1018 20:00:55.374514 1 reflector.go:140] go/pkg/mod/k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169: Failed to watch *v1.DaemonSet: failed to list *v1.DaemonSet: daemonsets.apps is forbidden: User "system:serviceaccount:openshift-operators:opendatahub-operator-controller-manager" cannot list resource "daemonsets" in API group "apps" at the cluster scope ``` For ImageStream `get` permissing is needed for cli.Get() in deploy's manageResources()[1], otherwise it does not set ownersReference (missing the branch apierrs.IsNotFound(err) since err is related to permissions). Autogenerated files: - config/rbac/role.yaml (make manifests) - bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (make bundle) [1] https://github.com/opendatahub-io/opendatahub-operator/blob/13a7e822c0c75f361c319f8256a2d199d031d97c/pkg/deploy/deploy.go#L199 Signed-off-by: Yauheni Kaliuta <ykaliuta@redhat.com> * DSC controller: manage missing resources previously defined v1 Add the following resources to manage: - PersistentVolumeClaim - Service - DaemonSet - StatefulSet - DeploymentConfig - ImageStream - BuildConfig - CustomResourceDefinition - APIService - Ingress - MutatingWebhookConfiguration - ValidatingWebhookConfiguration - ServiceAccount It requires to add them to the scheme in main.go. Also `go mod tidy` is run to update modules information to make it buildable (keep bisectable). Autogenerated files: - go.mod - go.sum Closes: opendatahub-io#637 Signed-off-by: Yauheni Kaliuta <ykaliuta@redhat.com> --------- Signed-off-by: Yauheni Kaliuta <ykaliuta@redhat.com>
VaishnaviHire · Nov 14, 2023 · 91fe6f2 · 91fe6f2
1 parent 0e086b4
commit 91fe6f2
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 1 deletion.
diff --git a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
@@ -289,6 +289,22 @@ spec:
           - list
           - patch
           - watch
+        - apiGroups:
+          - apiregistration.k8s.io
+          resources:
+          - apiservices
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - apps
+          resources:
+          - daemonsets
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - apps
           resources:
@@ -888,6 +904,7 @@ spec:
           verbs:
           - create
           - delete
+          - get
           - list
           - patch
           - update

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -83,6 +83,22 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -682,6 +698,7 @@ rules:
   verbs:
   - create
   - delete
+  - get
   - list
   - patch
   - update

diff --git a/controllers/datasciencecluster/datasciencecluster_controller.go b/controllers/datasciencecluster/datasciencecluster_controller.go
@@ -26,16 +26,22 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/hashicorp/go-multierror"
+	ocappsv1 "github.com/openshift/api/apps/v1"
+	ocbuildv1 "github.com/openshift/api/build/v1"
+	ocimgv1 "github.com/openshift/api/image/v1"
 	v1 "github.com/openshift/api/operator/v1"
+	admv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
 	authv1 "k8s.io/api/rbac/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/retry"
+	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -338,6 +344,19 @@ func (r *DataScienceClusterReconciler) SetupWithManager(mgr ctrl.Manager) error
 		Owns(&appsv1.Deployment{}).
 		Owns(&appsv1.ReplicaSet{}).
 		Owns(&corev1.Pod{}).
+		Owns(&corev1.PersistentVolumeClaim{}).
+		Owns(&corev1.Service{}).
+		Owns(&appsv1.DaemonSet{}).
+		Owns(&appsv1.StatefulSet{}).
+		Owns(&ocappsv1.DeploymentConfig{}).
+		Owns(&ocimgv1.ImageStream{}).
+		Owns(&ocbuildv1.BuildConfig{}).
+		Owns(&apiextensionsv1.CustomResourceDefinition{}).
+		Owns(&apiregistrationv1.APIService{}).
+		Owns(&netv1.Ingress{}).
+		Owns(&admv1.MutatingWebhookConfiguration{}).
+		Owns(&admv1.ValidatingWebhookConfiguration{}).
+		Owns(&corev1.ServiceAccount{}).
 		Watches(&source.Kind{Type: &dsci.DSCInitialization{}}, handler.EnqueueRequestsFromMapFunc(r.watchDataScienceClusterResources)).
 		Watches(&source.Kind{Type: &corev1.ConfigMap{}}, handler.EnqueueRequestsFromMapFunc(r.watchDataScienceClusterResources)).
 		// this predicates prevents meaningless reconciliations from being triggered

diff --git a/controllers/datasciencecluster/kubebuilder_rbac.go b/controllers/datasciencecluster/kubebuilder_rbac.go
@@ -33,6 +33,10 @@ package datasciencecluster
 // +kubebuilder:rbac:groups="operators.coreos.com",resources=operatorconditions,verbs=get;list;watch
 
 /* This is for operator */
+// +kubebuilder:rbac:groups="apiregistration.k8s.io",resources=apiservices,verbs=get;list;watch
+
+// +kubebuilder:rbac:groups="apps",resources=daemonsets,verbs=get;list;watch
+
 // +kubebuilder:rbac:groups="operators.coreos.com",resources=catalogsources,verbs=get;list;watch
 
 // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch
@@ -136,7 +140,7 @@ package datasciencecluster
 // +kubebuilder:rbac:groups="integreatly.org",resources=rhmis,verbs=list;watch;patch;delete
 
 // +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=patch;create;update;delete
-// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=create;list;watch;patch;delete
+// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=create;list;watch;patch;delete;get
 
 // +kubebuilder:rbac:groups="extensions",resources=replicasets,verbs=*
 // +kubebuilder:rbac:groups="extensions",resources=ingresses,verbs=list;watch;patch;delete;get

diff --git a/go.mod b/go.mod
@@ -23,6 +23,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.28.2
 	k8s.io/apimachinery v0.28.2
 	k8s.io/client-go v11.0.0+incompatible
+	k8s.io/kube-aggregator v0.23.0-alpha.1
 	sigs.k8s.io/controller-runtime v0.16.1
 	sigs.k8s.io/kustomize/api v0.13.4
 	sigs.k8s.io/kustomize/kyaml v0.14.2